1 files changed, 17 insertions, 4 deletions
diff --git a/xdelta3/xdelta3-decode.h b/xdelta3/xdelta3-decode.h
index 19bf208..6ec200f 100644
--- a/xdelta3/xdelta3-decode.h
+++ b/xdelta3/xdelta3-decode.h
@@ -625,10 +625,23 @@ xd3_decode_sections (xd3_stream *stream)
      return xd3_decode_finish_window (stream);
    }
-  /* To avoid copying, need this much data available */
+  /* To avoid extra copying, allocate three sections at once (but
-  need = (stream->inst_sect.size +
+   * check for overflow). */
-          stream->addr_sect.size +
+  need = stream->inst_sect.size;
-          stream->data_sect.size);
+  if (USIZE_T_OVERFLOW (need, stream->addr_sect.size))
+    {
+      stream->msg = "decoder section size overflow";
+      return XD3_INTERNAL;
+    }
+  need += stream->addr_sect.size;
+  if (USIZE_T_OVERFLOW (need, stream->data_sect.size))
+    {
+      stream->msg = "decoder section size overflow";
+      return XD3_INTERNAL;
+    }
+  need += stream->data_sect.size;
  /* The window may be entirely processed. */
  XD3_ASSERT (stream->dec_winbytes <= need);

diff --git a/xdelta3/xdelta3-decode.h b/xdelta3/xdelta3-decode.h index 19bf208..6ec200f 100644 --- a/xdelta3/xdelta3-decode.h +++ b/xdelta3/xdelta3-decode.h
@@ -625,10 +625,23 @@ xd3_decode_sections (xd3_stream *stream)
625	return xd3_decode_finish_window (stream);	625	return xd3_decode_finish_window (stream);
626	}	626	}
627		627
628	/* To avoid copying, need this much data available */	628	/* To avoid extra copying, allocate three sections at once (but
629	need = (stream->inst_sect.size +	629	* check for overflow). */
630	stream->addr_sect.size +	630	need = stream->inst_sect.size;
631	stream->data_sect.size);	631
		632	if (USIZE_T_OVERFLOW (need, stream->addr_sect.size))
		633	{
		634	stream->msg = "decoder section size overflow";
		635	return XD3_INTERNAL;
		636	}
		637	need += stream->addr_sect.size;
		638
		639	if (USIZE_T_OVERFLOW (need, stream->data_sect.size))
		640	{
		641	stream->msg = "decoder section size overflow";
		642	return XD3_INTERNAL;
		643	}
		644	need += stream->data_sect.size;
632		645
633	/* The window may be entirely processed. */	646	/* The window may be entirely processed. */
634	XD3_ASSERT (stream->dec_winbytes <= need);	647	XD3_ASSERT (stream->dec_winbytes <= need);